The OpenID Configuration endpoint provides metadata about the OpenID Connect Provider, including supported endpoints, capabilities, and configuration parameters. This follows the OpenID Connect Discovery 1.0 specification.

Endpoint

GET /services/{service_id}/.well-known/openid-configuration

Path Parameters

service_id
string
required
The ID of the client/service. This identifies which service configuration to retrieve. Example: packet-delivery-portal

Overview

This endpoint returns the OpenID Provider metadata for a specific service, allowing clients to discover the configuration and capabilities of the authorization server dynamically. This eliminates the need for hard-coding endpoint URLs and supported features.
The OpenID Configuration endpoint is publicly accessible and does not require authentication. It’s designed to enable automatic discovery of the provider’s capabilities.

Response

The endpoint returns an OpenID Provider Metadata object conforming to the OpenID Connect Discovery specification.

Response Schema

issuer
string
required
The issuer identifier URL. This must be identical to the value used in issued tokens. Example: https://api-test.ebsi.eu/authorisation/v4
authorization_endpoint
string
required
URL of the OAuth 2.0 Authorization Endpoint where authorization requests are sent. Example: https://api-test.ebsi.eu/authorisation/v4/authorize
token_endpoint
string
required
URL of the OAuth 2.0 Token Endpoint where token requests are sent. Example: https://api-test.ebsi.eu/authorisation/v4/token
presentation_definition_endpoint
string
URL of the endpoint that provides presentation definitions for credential verification. Example: https://api-test.ebsi.eu/authorisation/v4/presentation-definitions
jwks_uri
string
required
URL of the JSON Web Key Set (JWKS) endpoint containing the provider’s public keys. Example: https://api-test.ebsi.eu/authorisation/v4/jwks
scopes_supported
array
required
Array of OAuth 2.0 scope values that this server supports. Example: ["openid", "didr_invite", "didr_write", "tir_invite", "tir_write"]
response_types_supported
array
required
Array of OAuth 2.0 response_type values that this server supports. Example: ["token", "code"]
response_mode_supported
array
Array of OAuth 2.0 response_mode values that this server supports. Example: ["query", "fragment"]
grant_types_supported
array
Array of OAuth 2.0 grant type values that this server supports. Example: ["vp_token", "authorization_code"]
subject_types_supported
array
required
Array of Subject Identifier types that this server supports. Example: ["public"]
id_token_signing_alg_values_supported
array
required
Array of JWS signing algorithms (alg values) supported for ID Tokens. Example: ["ES256", "RS256"]
request_object_signing_alg_values_supported
array
Array of JWS signing algorithms (alg values) supported for Request Objects. Example: ["ES256", "RS256"]
request_parameter_supported
boolean
Boolean value indicating whether the provider supports use of the request parameter. Example: true
token_endpoint_auth_methods_supported
array
Array of client authentication methods supported by the token endpoint. Example: ["private_key_jwt", "client_secret_basic"]

Response Examples

{
  "issuer": "https://api-test.ebsi.eu/authorisation/v4",
  "authorization_endpoint": "https://api-test.ebsi.eu/authorisation/v4/authorize",
  "token_endpoint": "https://api-test.ebsi.eu/authorisation/v4/token",
  "presentation_definition_endpoint": "https://api-test.ebsi.eu/authorisation/v4/presentation-definitions",
  "jwks_uri": "https://api-test.ebsi.eu/authorisation/v4/jwks",
  "scopes_supported": [
    "openid",
    "didr_invite",
    "didr_write",
    "tir_invite",
    "tir_write"
  ],
  "response_types_supported": [
    "token",
    "code"
  ],
  "response_mode_supported": [
    "query",
    "fragment"
  ],
  "grant_types_supported": [
    "vp_token",
    "authorization_code",
    "urn:ietf:params:oauth:grant-type:token-exchange"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "ES256"
  ],
  "request_object_signing_alg_values_supported": [
    "ES256"
  ],
  "request_parameter_supported": true,
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt"
  ]
}

Service-Specific Configuration

Each service registered with the VCVerifier can have its own OpenID configuration. The service_id path parameter determines which service’s configuration is returned.
Make sure to use the correct service_id that matches your registered service. Using an invalid service ID will result in an error.

Grant Types

The VCVerifier supports several OAuth 2.0 grant types:

Verifiable Presentation Token

"grant_types_supported": ["vp_token"]
Allows clients to exchange verifiable presentation tokens for access tokens. This is specific to verifiable credential flows.

Authorization Code

"grant_types_supported": ["authorization_code"]
Standard OAuth 2.0 authorization code flow for exchanging authorization codes for tokens.

Token Exchange

"grant_types_supported": ["urn:ietf:params:oauth:grant-type:token-exchange"]
Supports OAuth 2.0 Token Exchange (RFC 8693) for exchanging one token for another.

Usage Pattern

Clients should fetch the OpenID Configuration at startup or cache it appropriately:
const serviceId = 'packet-delivery-portal';
const configUrl = `https://verifier.example.com/services/${serviceId}/.well-known/openid-configuration`;

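// Top-level await: run this as an ES module (or wrap it in an async function)
const response = await fetch(configUrl);
if (!response.ok) {
  // An error body (e.g. service_not_found) has no endpoint fields to read
  throw new Error(`OpenID configuration request failed: HTTP ${response.status}`);
}
const config = await response.json();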

// Use the discovered endpoints
const authEndpoint = config.authorization_endpoint;
const tokenEndpoint = config.token_endpoint;
const jwksUri = config.jwks_uri;

console.log('Configured endpoints:', {
  authorization: authEndpoint,
  token: tokenEndpoint,
  jwks: jwksUri
});

Error Responses

If the service ID is not found or configuration generation fails:
{
  "summary": "service_not_found",
  "details": "The requested service configuration does not exist."
}
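
A client-side check of the discovered document before its endpoints are used, as an added example that is not part of the VCVerifier documentation or code base. The function names, the pinned-issuer parameter and the policy of rejecting alg "none" are assumptions; the sample objects are constructed from the response and error examples on this page.

```javascript
// Added example (not VCVerifier code): vet a discovery document before use.
// Fields this page marks "required" in the Response Schema.
const REQUIRED = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'scopes_supported', 'response_types_supported', 'subject_types_supported',
  'id_token_signing_alg_values_supported'];
const URL_FIELDS = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'presentation_definition_endpoint'];

// Returns a list of problems; an empty list means the document passed.
// pinnedIssuer is configured out of band by the client (assumption).
function checkProviderMetadata(doc, pinnedIssuer) {
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) return ['not a JSON object'];
  // The error body shown on this page carries "summary"/"details", no metadata.
  if ('summary' in doc && !('issuer' in doc)) return [`error response: ${doc.summary}`];
  const problems = [];
  for (const f of REQUIRED) if (!(f in doc)) problems.push(`missing required field: ${f}`);
  for (const f of URL_FIELDS) {
    if (!(f in doc)) continue;
    let u;
    try { u = new URL(doc[f]); } catch { problems.push(`${f} is not a URL`); continue; }
    if (u.protocol !== 'https:') problems.push(`${f} is not https`);
  }
  // Exact string match: no trailing-slash or case normalization.
  if ('issuer' in doc && doc.issuer !== pinnedIssuer) problems.push('issuer does not match pinned value');
  const algs = doc.id_token_signing_alg_values_supported;
  // Client policy (assumption): refuse providers advertising unsigned ID Tokens.
  if (Array.isArray(algs) && algs.includes('none')) problems.push('alg "none" advertised for ID Tokens');
  return problems;
}

// The "iss" claim of an issued token must be identical to the discovered issuer.
const tokenIssuerMatches = (doc, claims) =>
  typeof claims.iss === 'string' && claims.iss === doc.issuer;

// Constructed samples: GOOD is trimmed from the response example on this page.
const BASE = 'https://api-test.ebsi.eu/authorisation/v4';
const GOOD = { issuer: BASE, authorization_endpoint: `${BASE}/authorize`,
  token_endpoint: `${BASE}/token`, jwks_uri: `${BASE}/jwks`,
  scopes_supported: ['openid'], response_types_supported: ['token', 'code'],
  subject_types_supported: ['public'], id_token_signing_alg_values_supported: ['ES256'] };
// Constructed: key set moved to plain http and the issuer swapped.
const TAMPERED = { ...GOOD, issuer: 'https://other.example', jwks_uri: 'http://other.example/jwks' };
const ERROR_BODY = { summary: 'service_not_found',
  details: 'The requested service configuration does not exist.' };

console.log(checkProviderMetadata(GOOD, BASE));
console.log(checkProviderMetadata(TAMPERED, BASE));
console.log(checkProviderMetadata(ERROR_BODY, BASE));
```

Run the check on every refresh of a cached configuration, not only at startup, so a changed jwks_uri or issuer is caught before tokens are validated against it.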

Standards Compliance

This endpoint implements:
